The modern data center enterprise is made up of mobile workers and many offices of different sizes. The problem is that branch connectivity is left out of the modernization effort. The days of a single main headquarters data center location are over, and organizations need a way to simplify how branch office connectivity works.
The Internet Connected Branch Office
Traditionally, most connectivity to primary data center resources was through private Multi-Protocol Label Switching (MPLS) circuits. MPLS is a mechanism for routing traffic within a telecommunications network as data travels from one network node to the next. MPLS supports a number of network services including VPNs (Virtual Private Networks), traffic engineering (TE) and Quality of Service (QoS).
The problem for many organizations is that more than half of all branch office traffic is now bound for the Internet and no longer requires an MPLS-based network. Users in these offices are connecting to trusted services like Salesforce.com, Office 365 and G Suite.
In addition, the Internet is challenging MPLS for core data center connectivity. Vendors like Silver Peak are delivering SD-WAN (Software Defined Wide Area Network) solutions that integrate broadband Internet connections into the WAN transport mix in addition to, or sometimes instead of, traditional MPLS connections.
As a result, many organizations are looking to move away from MPLS to save money and be more efficient.
MPLS-based networks are proving inefficient for the WAN because application traffic destined for the Internet must be backhauled to the data center, out to the cloud, and back through the data center to the branch, which requires incremental bandwidth and impairs SaaS performance. SD-WAN enables the use of broadband connectivity and secure direct branch access to cloud-based applications, lowering costs and improving application performance and, ultimately, user satisfaction and productivity.
Silver Peak Unity EdgeConnect
The Silver Peak Unity EdgeConnect SD-WAN solution is designed to free the branch office from all the overhead and legacy equipment associated with WAN connectivity. It also optimizes the communication path, allowing direct-to-internet routing. Unity EdgeConnect is available as a physical appliance or can run as a virtual machine.
Since many organizations leverage internet-based software as a service (SaaS) solutions, they want to route that traffic directly to the provider of the service instead of backhauling it to the data center. Routing SaaS traffic back to the data center wastes bandwidth and increases latency. First-packet iQ identifies traffic intended for a SaaS provider on the first packet and routes the traffic directly to the internet. First-packet iQ can identify over 10,000 applications and over 300 million web domains.
Traffic intended for unapproved sites or services can be routed to more advanced security and monitoring services provided at regional hubs or at the data center.
Silver Peak Unity Orchestrator global management software centrally assigns business intent policies to control and secure all EdgeConnect SD-WAN traffic. One capability Orchestrator provides is seamless service chaining that delivers highly granular security policies to automatically protect the branch office. For example, IT can address the above traffic types by setting policies like:
- Send all known, trusted business SaaS and web app traffic directly to the internet
- Send “home from work” applications like Twitter, Facebook and YouTube to a secure web gateway to ensure that no company proprietary information is sent
- Send all untrusted, suspicious and unknown applications back to a hub or headquarters-based firewall for additional security inspection
For branch offices that are not hosting applications, EdgeConnect offers basic firewall protection. It allows traffic out but only allows inbound traffic that is in response to user-initiated sessions. It creates a trusted whitelist of SaaS applications, sending that traffic directly to the internet. It directs all other traffic to a secure web gateway or a more advanced firewall at the primary data center.
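The three steering policies and the outbound-initiated firewall rule described above can be modeled in a few lines. This is an added illustration, not Silver Peak code or configuration; the domain lists, next-hop names and class names are hypothetical.

```python
# Added illustration: a toy model of the branch steering policy and the
# "outbound-initiated only" firewall rule. Names and domain lists are
# hypothetical; this is not Silver Peak configuration or code.

TRUSTED_SAAS = {"salesforce.com", "office365.com"}        # constructed list
RECREATIONAL = {"twitter.com", "facebook.com", "youtube.com"}

DIRECT = "direct-internet"
WEB_GATEWAY = "secure-web-gateway"
HUB_FIREWALL = "hub-firewall"


def matches(host, domains):
    """True if host equals a listed domain or is a subdomain of it.

    Matching on label boundaries keeps 'salesforce.com.evil.example' and
    'notsalesforce.com' from being treated as trusted.
    """
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def steer(host):
    """Pick the next hop for a new outbound flow. Anything that is not
    explicitly classified falls through to the hub firewall."""
    if matches(host, TRUSTED_SAAS):
        return DIRECT
    if matches(host, RECREATIONAL):
        return WEB_GATEWAY
    return HUB_FIREWALL


class BranchFirewall:
    """Tracks sessions opened from inside the branch; inbound packets pass
    only if they are the reverse of a tracked outbound flow."""

    def __init__(self):
        self.sessions = set()

    def outbound(self, proto, src, sport, dst, dport):
        self.sessions.add((proto, src, sport, dst, dport))
        return True  # outbound traffic is allowed

    def inbound(self, proto, src, sport, dst, dport):
        # Reverse the tuple: the remote end must be answering a local flow.
        return (proto, dst, dport, src, sport) in self.sessions
```

The fall-through to the hub firewall is what keeps a lookalike domain from getting direct internet breakout: only an exact or subdomain match on the trusted list bypasses inspection.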
Software Defined Transition
SD-WAN and “thin branch” may not make sense for every branch office, and the transition typically can’t be done all at once. Silver Peak EdgeConnect provides interoperability with BGP to support a full mesh network. BGP allows a gradual transition to an SD-WAN so organizations don’t need to throw out their existing investment in WAN equipment. Also, there may be branch offices, especially those that host applications, that justify a more robust WAN solution.
A key component of data center modernization is dealing with, and even taking advantage of, the decentralization of the organization. Organizations need talent, and instead of relocating that talent they are setting up a number of remote offices. Those remote offices require high-performance connectivity to trusted SaaS applications and, at the same time, the security a firewall provides.
The race is on for talent, and armed with a solution like EdgeConnect, IT can give branch offices the performance they need to feel like an equal part of the organization and protect the branch from security threats.